CVE-2014-6312 - Vulnerability Details - OpenCVE

Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Login Widget With Shortcode Project	Login Widget With Shortcode

Configuration 1 [-]

OR	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode::::::wordpress::*
	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:1.0.1:::::wordpress::
	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.0.1:::::wordpress::
	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.0.2:::::wordpress::
	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.1.3:::::wordpress::
	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.2.3:::::wordpress::
	cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.2.4:::::wordpress::

No data.

References

Link	Providers
http://osvdb.org/show/osvdb/111700
http://osvdb.org/show/osvdb/111757
http://seclists.org/fulldisclosure/2014/Sep/58
http://www.exploit-db.com/exploits/34762
https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do
https://wordpress.org/plugins/login-sidebar-widget/changelog

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-10-15T14:00:00

Updated: 2024-08-06T12:10:13.274Z

Reserved: 2014-09-11T00:00:00

Link: CVE-2014-6312

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-10-15T14:55:08.683

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-6312

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-09-17T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-10-15T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20140917 CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do (WordPress plugin)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2014/Sep/58"}, {"name": "34762", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/34762"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/login-sidebar-widget/changelog"}, {"tags": ["x_refsource_MISC"], "url": "https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do"}, {"name": "111757", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/111757"}, {"name": "111700", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/show/osvdb/111700"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-6312", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20140917 CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do (WordPress plugin)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Sep/58"}, {"name": "34762", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/34762"}, {"name": "https://wordpress.org/plugins/login-sidebar-widget/changelog", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/login-sidebar-widget/changelog"}, {"name": "https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do", "refsource": "MISC", "url": "https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do"}, {"name": "111757", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/111757"}, {"name": "111700", "refsource": "OSVDB", "url": "http://osvdb.org/show/osvdb/111700"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T12:10:13.274Z"}, "title": "CVE Program Container", "references": [{"name": "20140917 CSRF/XSS vulnerablity in Login Widget With Shortcode allows unauthenticated attackers to do anything an admin can do (WordPress plugin)", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2014/Sep/58"}, {"name": "34762", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/34762"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/login-sidebar-widget/changelog"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do"}, {"name": "111757", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/111757"}, {"name": "111700", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/show/osvdb/111700"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-6312", "datePublished": "2014-10-15T14:00:00", "dateReserved": "2014-09-11T00:00:00", "dateUpdated": "2024-08-06T12:10:13.274Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BE14D1C4-28D0-4F2E-A8FA-F2A119E4A7A7", "versionEndIncluding": "3.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:1.0.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F584D50A-5CC3-4F4B-96B2-FF953BBF0454", "vulnerable": true}, {"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.0.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "15C47416-41EC-4F85-8A2D-A278D2376D5D", "vulnerable": true}, {"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.0.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "ED84DCD6-25F1-462E-B971-137F7AFC5E84", "vulnerable": true}, {"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.1.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6707E23B-8728-417B-AC1F-356CE37EBD79", "vulnerable": true}, {"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.2.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6084CCC8-E03B-4793-9872-BEF1F697F5B2", "vulnerable": true}, {"criteria": "cpe:2.3:a:login_widget_with_shortcode_project:login_widget_with_shortcode:2.2.4:*:*:*:*:wordpress:*:*", "matchCriteriaId": "42B4CCDD-9B60-461F-A834-38AD3673BB62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in the Login Widget With Shortcode (login-sidebar-widget) plugin before 3.2.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the custom_style_afo parameter on the login_widget_afo page to wp-admin/options-general.php."}, {"lang": "es", "value": "Vulnerabilidad de CSRF en el plugin Login Widget Shortcode (login-sidebar-widget) anterior a 3.2.1 para Wordpress permite a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores para peticiones que realizan ataques de XSS a trav\u00e9s del par\u00e1metro custom_style_afo en la p\u00e1gina login_widget en admin/options-general.php."}], "id": "CVE-2014-6312", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-10-15T14:55:08.683", "references": [{"source": "cve@mitre.org", "url": "http://osvdb.org/show/osvdb/111700"}, {"source": "cve@mitre.org", "url": "http://osvdb.org/show/osvdb/111757"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Sep/58"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/34762"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do"}, {"source": "cve@mitre.org", "url": "https://wordpress.org/plugins/login-sidebar-widget/changelog"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/show/osvdb/111700"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/show/osvdb/111757"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://seclists.org/fulldisclosure/2014/Sep/58"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.exploit-db.com/exploits/34762"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://security.dxw.com/advisories/csrfxss-vulnerablity-in-login-widget-with-shortcode-allows-unauthenticated-attackers-to-do-anything-an-admin-can-do"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://wordpress.org/plugins/login-sidebar-widget/changelog"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}